Lawyer's Interpretation: Major Revision of Anti-Money Laundering Law, Current Security Risk Status of Six Major Tracks in the Web 3.0 Industry
Authors: Shao Shiwei, Liu Honglin, Lawyers
On April 23, 2024, the "Anti-Money Laundering Law of the People's Republic of China (Revised Draft)" (hereinafter referred to as "the Revised Draft") was submitted for review at the ninth meeting of the Standing Committee of the 14th National People's Congress. This is the first major revision since the introduction of the Anti-Money Laundering Law in 2007.
Yan Lixin, Executive Director of the China Anti-Money Laundering Research Center at Fudan University, stated that the most important, urgent, and necessary issue to be addressed at the legal level is the money laundering problem involving virtual assets. The use of cryptocurrencies and virtual assets for money laundering is gradually becoming a mainstream trend, but Chinese law lacks a clear definition of the connotation and extension of virtual assets.
As a typical application of blockchain technology, virtual currencies are increasingly being used as tools for money laundering in illegal activities due to their characteristics of anonymity, cross-border nature, non-traceability, and high liquidity. According to statistics from the Ministry of Public Security's Third Research Institute and the OKLink Research Institute, money laundering, fraud, pyramid schemes, and gambling were the four most common forms of virtual currency crimes in 2022, with 54.72% of virtual currency crimes related to money laundering and 21.13% related to fraud. According to incomplete statistics, over 60% of telecom fraud funds are ultimately laundered through virtual currencies.
Although countries around the world have significantly different understandings and attitudes towards blockchain, Web 3.0, and virtual currencies, there is a consensus among countries on anti-money laundering and crime prevention. China became a formal member of the FATF (Financial Action Task Force, the most influential intergovernmental organization for anti-money laundering and counter-terrorist financing) in 2007. In February 2019, China basically passed the FATF's fourth round of evaluation. The FATF pointed out in its follow-up report after the fourth round of evaluation that there are deficiencies in China's anti-money laundering measures for specific non-financial institutions, beneficial ownership systems, anti-money laundering financial sanctions, and on-site inspections by regulatory agencies. China will undergo the fifth round of mutual evaluations by the FATF from 2025 to 2027.
In the future, the use of virtual currencies for money laundering will become a mainstream trend and should be a key focus of regulation in China. In January 2022, the Ministry of Public Security reported at a press conference in Beijing that 259 cases of virtual currency money laundering were solved nationwide in 2021, with virtual currencies valued at over 11 billion yuan confiscated. According to relevant data, currently, 70%-80% of new types of cyber crimes are related to virtual currencies. Statistics from Chengdu Chain Security show that losses from money laundering using virtual currencies exceeded 27.3 billion yuan in 2023.
For entrepreneurs in the Web 3.0 industry, in the context of the first major revision of China's anti-money laundering law, it is necessary to comprehensively understand the potential money laundering and other security risks, legal risks, and the serious consequences that may arise, and to take corresponding measures to prevent and mitigate these risks. This is not only related to the stable operation of projects and the healthy development of the entire industry but also concerns national security, social public interests, and financial order.
The above text is from Lawyer Shao Shiwei.
This topic is divided into three main parts:
- The current security risk status of six major tracks in the Web 3.0 industry
- Whether domestically or internationally, Web 3.0 entrepreneurs should pay attention to anti-money laundering compliance
- In the context of tightening global anti-money laundering regulations, how should Web 3.0 industry entrepreneurs respond?
This article is the first part of this topic, "The Current Security Risk Status of Six Major Tracks in the Web 3.0 Industry". It explains, track by track, the inherent security risks of the six major tracks of the Web 3.0 industry and the risk of each being used as a money laundering tool. The aim is to reveal potential threats within the industry and raise awareness among practitioners regarding anti-money laundering risk and legal compliance.
As the six major tracks of the Web 3.0 industry, public chains, cross-chain bridges, trading platforms, wallets, DeFi, and NFTs experienced a total of 435 security incidents in 2023, resulting in losses of approximately $7.983 billion (equivalent to about 57.8 billion yuan).
Public Chains
Overview:
Public chains are decentralized cloud servers built using blockchain technology to host and run various decentralized applications, serving as the foundational network service for Web 3.0. Typical representatives include BTC, ETH, BSC, SOL, etc. All public chains strive to achieve high levels of decentralization, security, and performance, but this is a "trilemma." For example, the BTC public chain sacrifices performance for decentralization and security, while ETH sacrifices security for decentralization and performance.
According to incomplete statistics, there were 194 public chains as of December 2023. In terms of public chain ecosystem market capitalization, according to Coingecko data, Ethereum, BNB Chain, and Solana rank in the top three. The total market capitalization of public chain ecosystems has exceeded one trillion dollars. As of December 2023, there have been 13 security incidents in the public chain track, with total asset losses exceeding $280 million.
Currently, many public chains are interconnected through cross-chain bridge technology. This characteristic means that once a public chain encounters problems, the impact can quickly spread to other connected public chains, creating a chain reaction. This rapid spread not only exacerbates the severity of the problem but also makes it quite challenging to handle, posing a serious threat to the stability and security of the entire public chain ecosystem.
Typical Cases:
On October 7, 2022, the smart contract platform Binance Chain (BNB Chain) was attacked by hackers. In just two hours, hackers created 2 million BNB out of thin air and cross-chained them to other public chains, then exchanged the "fake BNB" for real money through decentralized exchanges on each public chain, amounting to over $700 million.
Cross-Chain Bridges
Overview:
Because individual public chains are not interconnected with one another, investors who invest or stake on different public chains are constrained by each chain's consensus mechanism. When investors need to consolidate or transfer assets, cross-chain technology is required. Cross-chain bridges are the necessary "bridges" for technical and asset transmission; they are not physical bridges but protocols and technologies that allow users to transfer assets between different public chains. According to statistics, there were 7 cross-chain bridge attack incidents in the first half of 2022, resulting in total losses of approximately $1.13599 billion.
According to Chainalysis data, in 2023, the use of bridging protocols for money laundering by illegal actors significantly increased, especially in cryptocurrency theft cases. As shown in the figure, bridging protocols received $743.8 million in cryptocurrency from illegal addresses in 2023, compared to only $312.2 million in 2022. For example, the North Korean hacker group Lazarus Group has combined cross-chain bridges with mixing technology as an important means of money laundering.
Typical Cases:
1. Funds Stolen from Ronin Chain
On the evening of March 29, 2022, funds on the Ronin Chain behind the blockchain game Axie Infinity were stolen. The theft occurred on March 23 but was not discovered until March 29. The loss from this attack was approximately $624 million (including 173,600 ETH and 25.5 million USDC), making it the most severe cross-chain bridge security incident to date. The stolen funds from Ronin have not been recovered, and users were ultimately compensated by Axie Infinity and Ronin Chain developer Sky Mavis.
2. Cross-Chain Project Used for Money Laundering
On August 10, 2022, blockchain analytics company Elliptic reported that the cross-chain protocol RenBridge was used for at least $540 million in illegal money laundering transactions.
On May 21, 2023, Zhao Jun, CEO of the well-known cross-chain project Multichain, was taken away by domestic police from his home, and the global Multichain team lost contact with him. According to public media reports, Multichain was arrested for its involvement in laundering money for criminal groups, with significant amounts involved.
Trading Platforms
Overview:
Trading platforms, or cryptocurrency exchanges, primarily provide services for buying and selling virtual currencies, storing and managing virtual assets for users, and offering virtual asset lending services. According to Coingecko data, as of December 2023, there are 887 cryptocurrency exchanges, including 224 centralized exchanges, 663 decentralized exchanges, and 94 derivatives exchanges. In 2023, there were 19 security incidents involving cryptocurrency exchanges, with total asset losses exceeding $1.2 billion.
Typical Cases:
On November 21, 2023, the U.S. Department of Justice announced that Binance Holdings Limited, which operates the world's largest cryptocurrency exchange Binance.com, acknowledged involvement in suspected money laundering, unlicensed remittances, and violations of sanctions, agreeing to pay a fine of $4.3 billion (with $2.5 billion confiscated and $1.8 billion in criminal fines). Meanwhile, Binance founder and CEO Changpeng Zhao admitted that he failed to maintain an effective anti-money laundering program and has resigned from his position as CEO of Binance.
At 4:36 PM on November 21, Binance founder Changpeng Zhao tweeted that he had resigned as CEO of Binance that day, stating, "I made mistakes, and I must take responsibility."
The U.S. Department of Justice pointed out that Binance did not implement an effective anti-money laundering program. For many years, Binance allowed users to open accounts and trade without submitting any identity information other than an email address. At the same time, U.S. sanctions laws prohibit U.S. persons from trading with clients subject to U.S. sanctions, including clients from jurisdictions under comprehensive sanctions such as Iran. Nevertheless, Binance did not implement controls to prevent U.S. users from trading with Iranian users, leading to over $898 million in transactions between U.S. users and users typically residing in Iran from January 2018 to May 2022 due to Binance's willful negligence.
"Binance turned a blind eye to its legal obligations in pursuit of profit. Its willful negligence allowed funds to flow through its platform to terrorists, cybercriminals, and child abusers," said U.S. Treasury Secretary Janet Yellen. "To ensure compliance with U.S. laws and regulations, today's historic penalties and oversight mark a milestone for the virtual currency industry. Any institution wishing to benefit from the U.S. financial system, regardless of its location, must comply with the requirements to protect all of us from the threats of terrorists, foreign adversaries, and criminals, or face consequences." According to technology site GeekWire, Judge Jones stated in court that Binance's specific violations of the federal Bank Secrecy Act were "unprecedented in quantity, scale, and scope," and that it essentially ignored potential terrorism financing and drug trafficking.
On April 30, 2024, Binance founder and former CEO Changpeng Zhao was sentenced to four months in prison for failing to prevent money laundering at the exchange.
Wallets
Overview:
Web 3.0 wallets, also known as cryptocurrency wallets or digital asset wallets, are tools for storing, managing, and using digital currencies. According to statistics, as of December 2023, there are 153 digital wallet projects. In 2023, there were 35 security incidents involving digital wallets, with total asset losses exceeding $600 million.
Money laundering crimes related to digital wallets mainly manifest in two aspects. First, insufficient security of the wallet itself leads to hacking and loss of user assets. Second, digital wallets lack KYC requirements and need only an address (a string of numbers and letters), with no intermediaries such as banks; their anonymity and cross-border characteristics make them naturally suitable as money laundering tools for criminals.
Typical Cases:
1. Hot Wallet Theft
Alphapo is a centralized cryptocurrency payment service provider for gambling, e-commerce, subscription services, and other online platforms. On July 23, 2023, Alphapo's hot wallet was hacked, resulting in a loss of approximately $60 million, including Ethereum, TRON, and BTC. The stolen funds were first exchanged for ETH on Ethereum and then cross-chained to Avalanche and BTC networks.
2. The First Case of Money Laundering Using Digital Renminbi in China
On November 2, 2021, the public security department of Xinmi City, Henan Province, solved a telecom network fraud case in which the fraud group used digital renminbi for money laundering to evade law enforcement. This is reportedly the first case in China involving money laundering using digital renminbi since its trial implementation.
DeFi, the Hard-Hit Area in Blockchain Anti-Money Laundering
Overview:
DeFi, or decentralized finance, is a decentralized protocol used to build an open financial system. In the current DeFi ecosystem, there are various types of projects, mainly including trading, lending, asset management, stablecoins, financial facilities, insurance, derivatives, trading platforms, and more. According to statistics, from the perspective of various Web 3.0 project tracks, DeFi remains the most frequently attacked area. In 2023, there were a total of 282 security incidents in DeFi, accounting for 60.77% of the total incidents, with losses reaching $773 million.
Most DeFi products are built on smart contracts and interactive protocols, with code generally being open-source. In the increasingly large DeFi ecosystem, the combination and circulation of different DeFi products and asset sharing have led to an increasing number of security issues. According to a report from the foreign blockchain company Chainalysis, the proportion of funds sent from illegal addresses to cryptocurrency service institutions that are DeFi is increasing. In 2021, illegal funds received by DeFi projects grew by approximately 1900% compared to 2020, accounting for 19% of all monitored illegal funds. By 2022, DeFi protocols had become the largest recipients of illegal funds, accounting for 69% of all funds sent from addresses associated with criminal activities.
Typical Cases:
North Korean Hackers Using DeFi Protocols for Money Laundering
According to a 2021 case provided by Chainalysis, the North Korean hacker group Lazarus Group used several DeFi protocols to launder money after stealing over $91 million in cryptocurrency assets from centralized exchanges. Chainalysis pointed out that the hackers initially stole various ERC-20 tokens and then used various DeFi protocols to exchange these tokens for Ethereum (ETH). They then sent the ETH to mixers and used DeFi protocols to exchange it again, this time for Bitcoin (BTC), which was transferred to several centralized exchanges for liquidation and cashing out.
NFT
Overview:
NFT (Non-Fungible Token) is a type of digital asset stored on the blockchain, characterized by uniqueness, scarcity, and indivisibility. It is mainly applied in games, artworks, and domain names. According to incomplete statistics, as of December 2023, there were a total of 44 security incidents in the NFT track, with total asset losses amounting to approximately $62 million.
Typical Cases:
NFT Wash Trading
According to Chainalysis statistics, in the third and fourth quarters of 2021, the vast majority of illegal cryptocurrency assets related to NFTs came from addresses associated with fraud, which purchased NFTs with cryptocurrencies. Additionally, a large amount of stolen funds were sent to NFT markets.
According to analysis of wash traders' profitability, 262 user addresses belong to habitual NFT wash traders; 152 of them did not make a profit, while the other 110 made nearly $8.9 million through wash trading.